Current Series Release Notes
18.0.0.0b1-261
New Features
Added a new variable octavia_security_group_additional_rules that allows configuration of additional security group rules for Amphora.
Introduces 3 new variables: cinder_default_availability_zone, octavia_cinder_volume_size and octavia_cinder_volume_type. Using these variables enables Octavia to use different Cinder configurations.
Added variables octavia_gigabytes and octavia_num_volumes to control quota definitions for the project where Octavia Amphorae are being spawned.
Octavia requires SSL certificates for communication with the amphora. This adds the automatic creation of self-signed certificates for this purpose. It uses different certificate authorities for amphora and control plane, thus ensuring maximum security.
Octavia creates VMs, security groups, and other resources in its project. In most cases the default quotas are not big enough. This adjusts them to (configurable) reasonable values.
Now you can set the octavia_management_net_subnet_gateway variable to create the management subnet with a default gateway set. By default the subnet is created without a gateway.
A new parameter, octavia_ovn_enabled, is added to support the Octavia OVN provider driver. The Octavia OVN provider driver is an alternative to amphora and uses built-in support for load balancing within OVN/OVS. The ml2.ovn Neutron plugin is required for this functionality. The OVN provider can be used during load balancer creation by specifying the --provider ovn argument for the openstack loadbalancer create command.
Added new variable octavia_enabled_provider_agents that allows enabling Provider Agents for Octavia.
The service setup in keystone for octavia will now be executed through delegation to the octavia_service_setup_host which, by default, is localhost (the deploy host). Deployers can opt to change this to the utility container by implementing the following override in user_variables.yml:
    octavia_service_setup_host: "{{ groups['utility_all'][0] }}"
With zookeeper added as the coordination backend, Octavia will be configured to use amphorav2 as the default provider driver. This will result in creating a new database and jobboard configuration. You can control the database name with the variable octavia_galera_persistence_database; the existing octavia db user will be granted ALL permissions to that database.
A new parameter octavia_provider_network_mtu is added to set the MTU to 1500 by default. This is important for deployments which allow jumbo frames while setting the management network to the standard Ethernet MTU. The MTU can still be changed at any point during the initial octavia deployment or with the openstack network set --mtu command line.
Added variables to better control SSH keypair generation for Octavia:
- octavia_ssh_key_manage (True): Enables an Octavia role to generate and manage SSH keypair to be used for Amphoras.
- octavia_resources_deploy_host (localhost): The host on which SSH key will be created.
- octavia_ssh_key_dir (${HOME}/.ssh): Directory under which keypair will be created on the octavia_resources_deploy_host.
- octavia_ssh_key_comment (Generated-by-Nova): Comment for the keypair.
- octavia_ssh_key_format (ssh): Format for the stored private key.
- octavia_ssh_key_type (rsa): Type of the SSH keypair generated.
- octavia_ssh_key_size (2048): Private key length.
The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by simply setting the octavia_install_method variable to distro.
Support separate oslo.messaging services for RPC and Notifications to enable operation of separate and different messaging backend servers in octavia.
Now you can use cinder-volume with Octavia. To enable the feature, set octavia_cinder_enabled to True. You may also need to override the default settings:
    octavia_octavia_conf_overrides:
      cinder:
        volume_type: 'my-volume-type'
        volume_size: 32
Upgrade Notes
Changed default for octavia_cinder_volume_size to 20 GB in order to align with the value of octavia_amp_disk.
Amphorae flavor will have 0 disk set (through variable octavia_amp_disk) when octavia_cinder_enabled: True.
The octavia_db_pool_size variable was previously deprecated and is now removed. A replacement variable was introduced in the Xena release.
Default provider driver for Octavia has been changed to amphorav2, since amphora and octavia drivers are deprecated for removal.
Default values for variables octavia_loadbalancer_topology and octavia_enable_anti_affinity have been switched to ACTIVE_STANDBY and True respectively, to reflect the most reasonable production setup. You can set these variables to their previous defaults if you want to preserve behaviour.
A new parameter octavia_provider_network_mtu is added to set the MTU to 1500 by default. This is important for deployments which allow jumbo frames while setting the management network to the standard Ethernet MTU. The MTU can still be changed at any point during the initial octavia deployment or with the openstack network set --mtu command line.
Default value for octavia_security_group_rule_cidr is changed and defined to the CIDR of the Octavia management network. To preserve previous behaviour, please override the variable to 0.0.0.0/0.
Deprecation Notes
For consistency reasons, octavia_db_pool_size was deprecated in favor of octavia_db_max_pool_size, which is in a standardized format used in other repositories. Support for octavia_db_pool_size will be removed in the Yoga release.
The variable octavia_requires_pip_packages is no longer required and has therefore been removed.
The variable octavia_image_downloader has been removed. The image download now uses the same host designated by octavia_service_setup_host.
The variable octavia_ansible_endpoint_type has been removed. The endpoint used for ansible tasks has been hard set to the 'admin' endpoint as is commonly used across all OSA roles.
The rabbitmq server parameters have been replaced by corresponding oslo.messaging RPC and Notify parameters in order to abstract the messaging service from the actual backend server deployment.
- octavia_oslomsg_rpc_servers replaces octavia_rabbitmq_servers
- octavia_oslomsg_rpc_port replaces octavia_rabbitmq_port
- octavia_oslomsg_rpc_use_ssl replaces octavia_rabbitmq_use_ssl
- octavia_oslomsg_rpc_userid replaces octavia_rabbitmq_userid
- octavia_oslomsg_rpc_vhost replaces octavia_rabbitmq_vhost
- octavia_oslomsg_notify_servers replaces octavia_rabbitmq_telemetry_servers
- octavia_oslomsg_notify_port replaces octavia_rabbitmq_telemetry_port
- octavia_oslomsg_notify_use_ssl replaces octavia_rabbitmq_telemetry_use_ssl
- octavia_oslomsg_notify_userid replaces octavia_rabbitmq_telemetry_userid
- octavia_oslomsg_notify_vhost replaces octavia_rabbitmq_telemetry_vhost
- octavia_oslomsg_notify_password replaces octavia_rabbitmq_telemetry_password
Removed the octavia_amp_image_id option, as the corresponding configuration option in Octavia, amp_image_id, is deprecated and image tags should be used instead.
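An added example, not part of the release notes or the os_octavia role: a small Python audit that scans the top-level keys of a user_variables.yml for the renamed and removed variables listed in these notes, and for an override that sets octavia_security_group_rule_cidr back to 0.0.0.0/0. The function name audit and the sample file contents are constructed for illustration.

```python
import re

# Renames taken from the deprecation notes (old name -> replacement).
RENAMED = {
    "octavia_db_pool_size": "octavia_db_max_pool_size",
    "octavia_rabbitmq_servers": "octavia_oslomsg_rpc_servers",
    "octavia_rabbitmq_port": "octavia_oslomsg_rpc_port",
    "octavia_rabbitmq_use_ssl": "octavia_oslomsg_rpc_use_ssl",
    "octavia_rabbitmq_userid": "octavia_oslomsg_rpc_userid",
    "octavia_rabbitmq_vhost": "octavia_oslomsg_rpc_vhost",
}
# The telemetry_* -> notify_* renames share one pattern, so derive them.
for _s in ("servers", "port", "use_ssl", "userid", "vhost", "password"):
    RENAMED[f"octavia_rabbitmq_telemetry_{_s}"] = f"octavia_oslomsg_notify_{_s}"
# Removed with no replacement variable named in the notes.
REMOVED = {"octavia_requires_pip_packages", "octavia_image_downloader",
           "octavia_ansible_endpoint_type", "octavia_amp_image_id"}
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*)$")

def audit(text):
    """Return (line_no, variable, message) for each finding in a vars file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = TOP_LEVEL_KEY.match(line)  # unindented keys only; comments never match
        if not m:
            continue
        key, value = m.group(1), m.group(2).split(" #")[0].strip().strip("'\"")
        if key in RENAMED:
            findings.append((no, key, f"renamed to {RENAMED[key]}"))
        elif key in REMOVED:
            findings.append((no, key, "removed from the role"))
        elif key == "octavia_security_group_rule_cidr" and value == "0.0.0.0/0":
            findings.append((no, key, "override restores the previous any-source CIDR"))
    return findings

# Constructed sample input, not a real deployment file.
SAMPLE = """\
# octavia_rabbitmq_port: 5671
octavia_rabbitmq_use_ssl: true
octavia_rabbitmq_telemetry_password: "{{ vault_pw }}"
octavia_amp_image_id: 11111111-2222-3333-4444-555555555555
octavia_security_group_rule_cidr: "0.0.0.0/0"  # kept from old release
octavia_db_max_pool_size: 10
"""

if __name__ == "__main__":
    for no, key, msg in audit(SAMPLE):
        print(f"line {no}: {key}: {msg}")
```

The parser is deliberately line-based and only looks at unindented keys, so it needs no YAML library; variables set through group_vars or nested structures are out of its scope.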
Security Issues
It is recommended that the certificate generation is always reviewed by security professionals since algorithms and key-lengths considered secure change all the time.
Avoid setting the quotas too high for your cloud since this can impact the performance of other services and lead to a potential Denial-of-Service attack if Loadbalancer quotas are not set properly or RBAC is not properly set up.
Bug Fixes
Octavia role now handles quota definition properly when BFV is set for Amphorae by defining octavia_cinder_enabled: True.
The quota for security group rules was erroneously set to 100 with the aim to have 100 security group rules per security group instead of to 100*#security group rules. This patch fixes this discrepancy.
The Octavia amphora provider was returned to the list of supported providers to satisfy the Magnum octavia_provider default label.
Other Notes
Default value for octavia_management_net_dhcp was set to False. This means that the Octavia management network will not have DHCP enabled by default if the os_octavia role is responsible for managing it.